MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9e53fd24c289e9e53680180b912fb62597c480c8db45942e9bfff671e7166dde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Gh0stRAT
Vendor detections: 7
| SHA256 hash: | 9e53fd24c289e9e53680180b912fb62597c480c8db45942e9bfff671e7166dde |
|---|---|
| SHA3-384 hash: | 3cbecefd36c1ac13c4e9ec97aed5f9eb6dccec6c5a56973a083d082ef6e9711ec2e30e226ca95ee14f62ffd3bf8351d1 |
| SHA1 hash: | 337bfac9b058a635025153f75fd803d44acc3535 |
| MD5 hash: | 4f87e0ab71fe2b64e2ac425d98e65c49 |
| humanhash: | georgia-mexico-enemy-october |
| File name: | 9e53fd24c289e9e53680180b912fb62597c480c8db459.dll |
| Download: | download sample |
| Signature | Gh0stRAT |
| File size: | 389'632 bytes |
| First seen: | 2021-10-01 18:07:55 UTC |
| Last seen: | 2021-10-01 18:58:08 UTC |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | fe3191a2588dcff951fb8f5b47b8a717 (1 x Gh0stRAT) |
| ssdeep | 6144:CyvSeaWLcJ57b+j1fb1euKsG9m/kw/2yzmcmPdifh/YhYxgBS4h+ycPnTDj/Gxxi:Cy6aLA5b+Bb1ePsG9u28mdiJga0gDG/6 |
| Threatray | 2 similar samples on MalwareBazaar |
| TLSH | T18684234673B6D8B4F4A069B670BF59577064940837B2DFCA44E82372346AB4B3E2361E |
| Reporter |  abuse_ch |
| Tags: | dll Gh0stRAT |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 43.129.192.59:7777 | https://threatfox.abuse.ch/ioc/229543/ |
Intelligence
File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zegost
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Result
Threat name:
Mimikatz
Detection:
malicious
Classification:
troj.evad.bank.spyw
Score:
100 / 100
Signature
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Detected VMProtect packer
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected Mimikatz
Behaviour
Behavior Graph:
Threat name:
Win32.Infostealer.Magania
Status:
Malicious
First seen:
2021-09-30 17:39:00 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Result
Malware family:
n/a
Score:
10/10
Tags:
suricata vmprotect
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates connected drives
Blocklisted process makes network request
VMProtect packed file
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39
Unpacked files
SH256 hash:
606cf7c09b1f243869e6eb51dbeecda95b48f5ebe4c9a5e4b66ce221c0310a08
MD5 hash:
94938f3cfd640e65f94ff609f9ca4d02
SHA1 hash:
6a08f4bd03787f69dd4ef3883ac3ae0711f46c22
SH256 hash:
b921a68cb198d7d42031f39f1fde8721cfcedeb07b6cccc11b757abb10ea35e5
MD5 hash:
7df115753a4304b2a702b8a89cb49708
SHA1 hash:
d9941cc335c87ff08f191cedad455357d59a04fc
SH256 hash:
9e53fd24c289e9e53680180b912fb62597c480c8db45942e9bfff671e7166dde
MD5 hash:
4f87e0ab71fe2b64e2ac425d98e65c49
SHA1 hash:
337bfac9b058a635025153f75fd803d44acc3535
Malware family:
Mimikatz
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.24
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | GhostDragon_Gh0stRAT |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report |
| Reference: | https://blog.cylance.com/the-ghost-dragon |
| Rule name: | INDICATOR_EXE_Packed_VMProtect |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with VMProtect. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables calling ClearMyTracksByProcess |
| Rule name: | MALWARE_Win_Zegost |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Zegost |
| Rule name: | Mimikatz_Strings |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Mimikatz strings |
| Reference: | not set |
| Rule name: | Mimikatz_Strings_RID2DA0 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Mimikatz strings |
| Reference: | not set |
| Rule name: | Winnti_NlaifSvc |
|---|---|
| Author: | Florian Roth |
| Description: | Winnti sample - file NlaifSvc.dll |
| Reference: | https://goo.gl/VbvJtL |
| Rule name: | Winnti_NlaifSvc_RID2CFF |
|---|---|
| Author: | Florian Roth |
| Description: | Winnti sample - file NlaifSvc.dll |
| Reference: | https://goo.gl/VbvJtL |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.